The point: Attackers published 639 malicious versions across 323 packages (279 from the @antv namespace) and exfiltrated credentials for AWS, Google Cloud, Azure, GitHub, and Docker access.
A new supply-chain attack has compromised the npm maintainer account atool and distributed over 600 malicious package versions across the AntV ecosystem. The malware steals over 20 types of login credentials, including GitHub, npm, and cloud tokens.
Cybersecurity researchers have discovered a supply-chain attack that compromised the npm maintainer account atool. The account controls several widely used packages, including echarts-for-react with approximately 1.1 million downloads per week. Socket documented the attack and attributes it to the ongoing Mini Shai-Hulud campaign.
The affected packages include core components of the AntV visualization library: @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set, along with other packages such as timeago.js, size-sensor, and canvas-nest.js. The attacker published 639 malicious versions across 323 unique packages in a 22-minute burst, a publishing rate that points to automated mass distribution using a stolen token rather than manual uploads.
The malware payload harvests over 20 categories of credentials, specifically login data for AWS, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, as well as database connection strings. It also attempts to escape from Docker containers via host sockets. The data is compressed, encrypted, and exfiltrated to t.m-kosche[.]com:443. As a fallback mechanism, the malware uses stolen GitHub tokens to create public repositories under the victim’s account and commit the data as JSON files. StepSecurity documented over 2,500 such repositories with the description “niagA oG eW ereH :duluH-iahS” (backwards: “Shai-Hulud: Here We Go Again”). This number sets a lower bound for compromised environments whose credentials were successfully exfiltrated.
The npm-propagation module first validates each stolen npm token against the npm registry, then enumerates the packages the token holder maintains, downloads their tarballs, injects the malicious payload, adds a preinstall hook (bun run index.js), bumps the package version, and republishes under the maintainer's identity. 630 of the 637 malicious versions additionally inject an optionalDependencies entry that pulls a second copy of the payload from the GitHub repository antvis/G2, so the payload still arrives even if the registry-hosted copy is taken down.
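Two defender-side checks follow from the behaviour described above: the install-time hook and GitHub-sourced optionalDependencies are visible in a package's manifest, and the 22-minute cross-package publish burst is visible in registry timestamps. The script below is an added example, not code from the article or from Socket, StepSecurity, or AntV; the package names, versions, and timestamps in it are constructed for illustration, and the 30-minute window and three-package threshold are assumed tuning values.

```javascript
// Added example: two heuristics a defender can run against package manifests and
// registry publish timestamps. All sample data below is constructed, not real.

// Heuristic 1: flag manifest (package.json) features the article associates with the
// campaign: an install-time lifecycle script that invokes `bun`, and an
// optionalDependencies entry that resolves to a git/GitHub source instead of the registry.
function suspiciousManifestFindings(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    const cmd = scripts[hook];
    if (typeof cmd === "string" && /\bbun\b/.test(cmd)) {
      findings.push(`${hook} invokes bun: ${cmd}`);
    }
  }
  // npm accepts several spellings for a git source: "github:owner/repo", the bare
  // "owner/repo" shorthand, and git+/git:// or https://github.com/ URLs.
  const gitSourceSpec = /^(github:|git\+|git:\/\/|https?:\/\/github\.com\/|[\w.-]+\/[\w.-]+(#.*)?$)/;
  for (const [name, spec] of Object.entries(pkg.optionalDependencies || {})) {
    if (typeof spec === "string" && gitSourceSpec.test(spec)) {
      findings.push(`optionalDependency ${name} is fetched from a git source: ${spec}`);
    }
  }
  return findings;
}

// Heuristic 2: detect a cross-package publish burst. Input: one event per published
// version for every package a maintainer owns (the version/timestamp pairs from
// `npm view <pkg> time --json`, collected per package). Returns groups in which at
// least `minPackages` distinct packages received a new version within `windowMinutes`.
function publishBursts(events, windowMinutes = 30, minPackages = 3) {
  const sorted = events
    .map((e) => ({ ...e, t: Date.parse(e.time) }))
    .sort((a, b) => a.t - b.t);
  const windowMs = windowMinutes * 60 * 1000;
  const bursts = [];
  let i = 0;
  while (i < sorted.length) {
    // Greedily extend the group while every event stays within the window of the first.
    let j = i;
    while (j + 1 < sorted.length && sorted[j + 1].t - sorted[i].t <= windowMs) j++;
    const group = sorted.slice(i, j + 1);
    const packages = [...new Set(group.map((e) => e.pkg))];
    if (packages.length >= minPackages) {
      bursts.push({ start: group[0].time, end: group[group.length - 1].time, packages });
    }
    i = j + 1;
  }
  return bursts;
}

// Constructed sample inputs (hypothetical names, versions and times).
const SAMPLE_MANIFEST = {
  name: "example-widget",
  version: "1.2.3",
  scripts: { preinstall: "bun run index.js", test: "jest" },
  optionalDependencies: { "example-dep": "github:example-org/example-repo" },
  dependencies: { lodash: "^4.17.21" },
};
const CLEAN_MANIFEST = {
  name: "example-clean",
  version: "2.0.0",
  scripts: { test: "jest" },
  dependencies: { lodash: "^4.17.21" },
};
const SAMPLE_EVENTS = [
  { pkg: "example-pkg-a", version: "1.0.0", time: "2026-01-10T09:00:00Z" }, // ordinary earlier release
  { pkg: "example-pkg-a", version: "1.0.1", time: "2026-05-18T10:00:00Z" },
  { pkg: "example-pkg-b", version: "2.3.1", time: "2026-05-18T10:05:00Z" },
  { pkg: "example-pkg-c", version: "0.9.8", time: "2026-05-18T10:12:00Z" },
  { pkg: "example-pkg-d", version: "4.1.3", time: "2026-05-18T10:19:00Z" },
  { pkg: "example-pkg-e", version: "1.1.0", time: "2026-05-18T12:00:00Z" }, // lone release, not a burst
];

console.log("manifest findings:", suspiciousManifestFindings(SAMPLE_MANIFEST));
console.log("clean manifest findings:", suspiciousManifestFindings(CLEAN_MANIFEST));
console.log("publish bursts:", JSON.stringify(publishBursts(SAMPLE_EVENTS), null, 2));
```

To apply this to a real tree, feed `suspiciousManifestFindings` every `node_modules/**/package.json` and feed `publishBursts` the `time` maps of all packages owned by a maintainer you depend on; a group of many distinct packages bumped within minutes of each other is the signature to investigate, while a single package's routine release cadence will not trip it.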
Source: ainews-dev.lumi-systems.io · Published May 19, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 of the EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.